ABSTRACT. Well-structured transition systems provide the right foundation to compute a finite basis of the set of predecessors of the upward closure of a state. The dual problem, to compute a finite representation of the set of successors of the downward closure of a state, is harder: until now, the theoretical framework for manipulating downward-closed sets was missing. We answer this problem, using insights from domain theory (dcpos and ideal completions), from topology (sobrifications), and shed new light on the notion of adequate domains of limits.



1. Introduction 

The theory of well-structured transition systems (WSTS) is 20 years old [9, 11, 2]. The most often used result of this theory [11] is the backward algorithm for computing a finite basis of the set $\uparrow Pre^*(\uparrow s)$ of predecessors of the upward closure $\uparrow s$ of a state $s$. The starting point of this paper is our desire to compute $\downarrow Post^*(\downarrow s)$ in a similar way. We then need a theory to finitely (and effectively) represent downward-closed sets, much as upward-closed subsets can be represented by their finite sets of minimal elements. This will serve as a basis for constructing forward procedures.

The cover, $\downarrow Post^*(\downarrow s)$, contains more information than the set of predecessors $\uparrow Pre^*(\uparrow s)$ because it characterizes a good approximation of the reachability set, while the set of predecessors describes the states from which the system may fail; the cover may also allow the computation of a finite-state abstraction of the system as a symbolic graph. Moreover, the backward algorithm needs a finite basis of the upward closed set of bad states, and its implementation is, in general, less efficient than a forward procedure: e.g., for lossy channel systems, although the backward procedure always terminates, only the non-terminating forward procedure is implemented in the tool TREX [?].

Except for some partial results [?, 13], a general theory of downward-closed sets is missing. This may explain the scarcity of forward algorithms for WSTS. Quoting Abdulla et al. [?]: "Finally, we aim at developing generic methods for building downward closed languages, in a similar manner to the methods we have developed for building upward closed languages in [2]. This would give a general theory for forward analysis of infinite state systems, in the same way the work in [2] is for backward analysis." Our contribution is to provide such a theory of downward-closed sets.
Related Work. Karp and Miller [16] proposed an algorithm that computes a finite representation of the downward closure of the reachability set of a Petri net. Finkel introduced the WSTS framework and generalized the Karp-Miller procedure to a class of WSTS. This is done by constructing the completion of the set of states (by ideals, see Section 3) and by replacing the $\omega$-acceleration of an increasing sequence of states (in Petri nets) by its least upper bound (lub). However, there are no effective finite representations of downward closed sets in [9]. Emerson and Namjoshi [7] considered a variant of WSTS (using cpos, but still without a theory of effective finite representations of downward-closed subsets) for defining a Karp-Miller procedure for broadcast protocols; termination is then not guaranteed [?]. Abdulla et al. [1] proposed a forward procedure for lossy channel systems using downward-closed languages, coded as SREs. Ganty, Geeraerts, and others [13, 12] proposed a forward procedure for solving the coverability problem for WSTS equipped with an effective adequate domain of limits. This domain ensures that every downward closed set has a finite representation; but no insight is given as to how these domains can be found or constructed. They applied this to Petri nets and lossy channel systems. Abdulla et al. proposed another symbolic framework for dealing with downward closed sets for timed Petri nets.

We shall see that these constructions are special cases of our completions (Section 3). We shall illustrate this in Section 4 and generalize to a comprehensive hierarchy of data types in Section 5. We briefly touch on the question of computing approximations of the cover in Section 6, although we shall postpone most of it to future work. We conclude in Section 7.

2. Preliminaries 

We shall borrow from theories of order, both from the theory of well quasi-orderings, as used classically in well-structured transition systems [2, 11], and from domain theory [5]. We should warn the reader that this is one bulky section on preliminaries. We invite her to skip technical points first, returning to them on demand.

A quasi-ordering $\le$ is a reflexive and transitive relation on a set $X$. It is a (partial) ordering iff it is antisymmetric. A set $X$ equipped with a partial ordering is a poset.

We write $\ge$ for the converse quasi-ordering, $\approx$ for the equivalence relation $\le \cap \ge$, $<$ for the associated strict ordering ($\le \setminus \approx$), and $>$ for the converse ($\ge \setminus \approx$) of $<$. The upward closure $\uparrow E$ of a set $E$ is $\{y \in X \mid \exists x \in E \cdot x \le y\}$. The downward closure $\downarrow E$ is $\{y \in X \mid \exists x \in E \cdot y \le x\}$. A subset $E$ of $X$ is upward closed if and only if $E = \uparrow E$, i.e., any element greater than or equal to some element in $E$ is again in $E$. Downward closed sets are defined similarly. When the ambient space $X$ is not clear from context, we shall write $\downarrow_X E$, $\uparrow_X E$ instead of $\downarrow E$, $\uparrow E$.

A quasi-ordering is well-founded iff it has no infinite strictly descending chain, i.e., $x_0 > x_1 > \ldots > x_i > \ldots$. An antichain is a set of pairwise incomparable elements. A quasi-ordering is well if and only if it is well-founded and has no infinite antichain.

There are a number of equivalent definitions for well quasi-orderings (wqo). One is that, from any infinite sequence $x_0, x_1, \ldots, x_i, \ldots$, one can extract an infinite ascending chain $x_{i_0} \le x_{i_1} \le \ldots \le x_{i_k} \le \ldots$, with $i_0 < i_1 < \ldots < i_k < \ldots$. Another one is that any upward closed subset can be written $\uparrow E$, with $E$ finite. Yet another, topological definition [15, Proposition 3.1] is to say that $X$, with its Alexandroff topology, is Noetherian. The Alexandroff topology on $X$ is that whose opens are exactly the upward closed subsets. A subset $K$ is compact if it satisfies the Heine-Borel property, i.e., one may extract a finite subcover from any open cover of $K$. A topology is Noetherian iff every open subset is compact, iff any increasing chain of opens stabilizes [15, Proposition 3.2]. We shall cite results from the latter paper as the need evolves.
We shall be interested in rather particular topological spaces, whose topology arises from order. A directed family of $X$ is any non-empty family $(x_i)_{i \in I}$ such that, for all $i, j \in I$, there is a $k \in I$ with $x_i, x_j \le x_k$. The Scott topology on $X$ has as opens all upward closed subsets $U$ such that every directed family $(x_i)_{i \in I}$ that has a least upper bound $x$ in $U$ intersects $U$, i.e., $x_i \in U$ for some $i \in I$. The Scott topology is coarser than the Alexandroff topology, i.e., every Scott-open is Alexandroff-open (upward closed); the converse fails in general. The Scott topology is particularly interesting on dcpos, i.e., posets $X$ in which every directed family $(x_i)_{i \in I}$ has a least upper bound $\sup_{i \in I} x_i$.

The way below relation $\ll$ on a poset $X$ is defined by $x \ll y$ iff, for every directed family $(z_i)_{i \in I}$ that has a least upper bound $z \ge y$, then $z_i \ge x$ for some $i \in I$ already. Note that $x \ll y$ implies $x \le y$, and that $x' \le x \ll y \le y'$ implies $x' \ll y'$. However, $\ll$ is not reflexive or irreflexive in general. Write $\Uparrow E = \{y \in X \mid \exists x \in E \cdot x \ll y\}$, $\Downarrow E = \{y \in X \mid \exists x \in E \cdot y \ll x\}$. $X$ is continuous iff, for every $x \in X$, $\Downarrow x$ is a directed family, and has $x$ as least upper bound. One may be more precise: a basis is a subset $B$ of $X$ such that any element $x \in X$ is the least upper bound of a directed family of elements way below $x$ in $B$. Then $X$ is continuous if and only if it has a basis, and in this case $X$ itself is the largest basis. In a continuous dcpo, $\Uparrow x$ is Scott-open for all $x$, and every Scott-open set $U$ is a union of such sets, viz. $U = \bigcup_{x \in U} \Uparrow x$.

$X$ is algebraic iff every element $x$ is the least upper bound of the set of finite elements below $x$, where an element $y$ is finite if and only if $y \ll y$. Every algebraic poset is continuous, and has a least basis, namely its set of finite elements.

$\mathbb{N}$, with its natural ordering, is a wqo and an algebraic poset. All its elements are finite, so $x \ll y$ iff $x \le y$. $\mathbb{N}$ is not a dcpo, since $\mathbb{N}$ itself is a directed family without a least upper bound. Any finite product of continuous posets (resp., continuous dcpos) is again continuous, and the Scott topology on the product coincides with the product topology. Any finite product of wqos is a wqo. In particular, $\mathbb{N}^k$, for any integer $k$, is a wqo and a continuous poset: this is the set of configurations of Petri nets.

It is clear how to complete $\mathbb{N}$ to make it a cpo: let $\mathbb{N}_\omega$ be $\mathbb{N}$ with a new element $\omega$ such that $n \le \omega$ for all $n \in \mathbb{N}$. Then $\mathbb{N}_\omega$ is still a wqo, and a continuous cpo, with $x \ll y$ if and only if $x \in \mathbb{N}$ and $x \le y$. In general, completing a wqo is necessary to extend coverability tree techniques [9, 13]. Geeraerts et al. (op. cit.) axiomatize the kind of completions they need in the form of so-called adequate domains of limits. We discuss them in Section 3. For now, let us note that the second author also proposed to use another notion of completion in another context, known as sobrification [15]. We need to recap what this is about.

A topological space $X$ is always equipped with a specialization quasi-ordering, which we shall write $\le$ again: $x \le y$ if and only if any open subset containing $x$ also contains $y$. $X$ is $T_0$ if and only if $\le$ is a partial ordering. Given any quasi-ordering $\le$ on a set $X$, both the Alexandroff and the Scott topologies admit $\le$ as specialization quasi-ordering. In fact, the Alexandroff topology is the finest (the one with the most opens) having this property. The coarsest is called the upper topology; its opens are arbitrary unions of complements of sets of the form $\downarrow E$, $E$ finite. The latter sets $\downarrow E$, with $E$ finite, will play an important role, and we call them the finitary closed subsets. Note that finitary closed subsets are closed in the upper, Scott, and Alexandroff topologies, recalling that a subset is closed iff its complement is open. The closure $cl(A)$ of a subset $A$ of $X$ is the smallest closed subset containing $A$. A closed subset $F$ is irreducible if and only if $F$ is non-empty, and whenever $F \subseteq F_1 \cup F_2$ with $F_1, F_2$ closed, then $F \subseteq F_1$ or $F \subseteq F_2$. The finitary closed subset $\downarrow x = cl(\{x\})$ ($x \in X$) is always irreducible. A space $X$ is sober iff every irreducible closed subset $F$ is the closure of a unique point, i.e., $F = \downarrow x$ for some unique $x$. Any sober space is $T_0$, and any continuous cpo is sober in its Scott topology. Conversely, given a $T_0$ space $X$, the space $\mathcal{S}(X)$ of all irreducible closed subsets of $X$, equipped with the upper topology of the inclusion ordering $\subseteq$, is always sober, and the map $\eta_{\mathcal{S}} : x \mapsto \downarrow x$ is a topological embedding of $X$ inside $\mathcal{S}(X)$. $\mathcal{S}(X)$ is the sobrification of $X$, and can be thought of as $X$ together with all missing limits from $X$. Note in particular that a sober space is always a cpo in its specialization ordering [5, Proposition 7.2.13].

It is an enlightening exercise to check that $\mathcal{S}(\mathbb{N})$ is $\mathbb{N}_\omega$. Also, the topology on $\mathcal{S}(\mathbb{N})$ (the upper topology) coincides with that of $\mathbb{N}_\omega$ (the Scott topology). In general, $X$ is Noetherian if and only if $\mathcal{S}(X)$ is Noetherian [15, Proposition 6.2]; however, the upper and Scott topologies do not always coincide [15, Section 7]. In case of ambiguity, given any poset $X$, we write $X_a$ for the space $X$ with its Alexandroff topology.

Another important construction is the Hoare powerdomain $\mathcal{H}(X)$ of $X$, whose elements are the closed subsets of $X$, ordered by inclusion. (We do allow the empty set.) We again equip it with the corresponding upper topology.

3. Completions of Wqos 

One of the central problems of our study is the definition of a completion of a wqo $X$, with all missing limits added. Typically, the Karp-Miller construction [16] works not with $\mathbb{N}^k$, but with $\mathbb{N}_\omega^k$. We examine several ways to achieve this, and argue that they are the same, up to some details.

ADLs, WADLs. We start with Geeraerts et al.'s axiomatization of so-called adequate domains of limits for well-quasi-ordered sets $X$ [13]. No explicit construction of such adequate domains of limits is given, and they have to be found by trial and error. Our main result, below, is that there is a unique least adequate domain of limits: the sobrification $\mathcal{S}(X_a)$ of $X_a$. (Recall that $X_a$ is $X$ with its Alexandroff topology.) This not only gives a concrete construction of such an adequate domain of limits, but also shows that we do not have much freedom in defining one.

An adequate domain of limits [13] (ADL) for a well-ordered set $X$ is a triple $(L, \preceq, \gamma)$ where $L$ is a set disjoint from $X$ (the set of limits); (L1) the map $\gamma : L \cup X \to \mathbb{P}(X)$ is such that $\gamma(z)$ is downward closed for all $z \in L \cup X$, and $\gamma(x) = \downarrow_X x$ for all non-limit points $x \in X$; (L2) there is a limit point $\top \in L$ such that $\gamma(\top) = X$; (L3) $z \preceq z'$ if and only if $\gamma(z) \subseteq \gamma(z')$; and (L4) for any downward closed subset $D$ of $X$, there is a finite subset $E \subseteq L \cup X$ such that $\gamma(E) = D$. Here $\gamma(E) = \bigcup_{e \in E} \gamma(e)$.

Requirement (L2) in [13] only serves to ensure that all closed subsets of $L \cup X$ can be represented as $\downarrow_{L \cup X} E$ for some finite subset $E$: the closed subset $L \cup X$ itself is then exactly $\downarrow_{L \cup X} \{\top\}$. However, (L2) is unnecessary for this, since $L \cup X$ already equals $\downarrow_{L \cup X} E$ by (L3), where $E$ is the finite subset of $L \cup X$ such that $\gamma(E) = X$, as ensured by (L4). Accordingly, we drop requirement (L2):

Definition 3.1 (WADL). Let $X$ be a poset. A weak adequate domain of limits (WADL) on $X$ is any triple $(L, \preceq, \gamma)$ satisfying (L1), (L3), and (L4).

Proposition 3.2. Let $X$ be a poset. Given a WADL $(L, \preceq, \gamma)$ on $X$, $\gamma$ defines an order-isomorphism from $(L \cup X, \preceq)$ to some subset of $\mathcal{H}(X_a)$ containing $\mathcal{S}(X_a)$.

Conversely, assume $X$ wqo, and let $Y$ be any subset of $\mathcal{H}(X_a)$ containing $\mathcal{S}(X_a)$. Then $(Y \setminus \eta_{\mathcal{S}}(X_a), \preceq, \gamma)$ is a weak adequate domain of limits, where $\gamma$ maps each $x \in X$ to $\downarrow_X x$ and each $F \in Y \setminus \eta_{\mathcal{S}}(X_a)$ to itself; $\preceq$ is defined by requirement (L3).

Proof. The Alexandroff-closed subsets of $X$ are just its downward-closed subsets. So $\gamma(z)$ is in $\mathcal{H}(X_a)$ for all $z$, by (L1). Let $Y$ be the image of $\gamma$. By (L3), $\gamma$ defines an order-isomorphism of $L \cup X$ onto $Y$. It remains to show that $Y$ must contain $\mathcal{S}(X_a)$. Let $F$ be any irreducible closed subset of $X_a$. By (L4), there is a finite subset $E \subseteq L \cup X$ such that $F = \bigcup_{x \in E} \gamma(x)$. Since $F$ is irreducible, there must be a single $x \in E$ such that $F = \gamma(x)$. So $F$ is in $Y$.

Conversely, let $X$ be wqo, $L = Y \setminus \eta_{\mathcal{S}}(X_a)$, and $\gamma$, $\preceq$ be as in the Lemma. Properties (L1) and (L3) hold by definition. For (L4), note that $X_a$ is a Noetherian space, hence $\mathcal{S}(X_a)$ is, too [15, Proposition 6.2]. However, by [15, Corollary 6.5], every closed subset of a sober Noetherian space is finitary. In particular, take any downward closed subset $D$ of $X$. This is closed in $X_a$, hence its image $\eta_{\mathcal{S}}(D)$ by the topological embedding $\eta_{\mathcal{S}}$ is closed in $\eta_{\mathcal{S}}(X_a)$, i.e., is of the form $\eta_{\mathcal{S}}(X_a) \cap F$ for some closed subset $F$ of $\mathcal{S}(X_a)$. Also, $D = \eta_{\mathcal{S}}^{-1}(F)$. Since $\mathcal{S}(X_a)$ is both sober and Noetherian, $F$ is finitary, hence is the downward closure $\downarrow_{\mathcal{S}(X_a)} E'$ of some finite subset $E'$ of $\mathcal{S}(X_a)$. Let $E$ be the set consisting of the (limit) elements in $E' \cap L$, and of the (non-limit) elements $x \in X$ such that $\downarrow_X x \in E'$. We obtain $\gamma(E) = \bigcup_{z \in E'} z$. On the other hand, $D = \eta_{\mathcal{S}}^{-1}(F) = \{x \in X \mid \downarrow_X x \in \downarrow_{\mathcal{S}(X_a)} E'\} = \{x \in X \mid \exists z \in E' \cdot \downarrow_X x \subseteq z\} = \bigcup_{z \in E'} z = \gamma(E)$. So (L4) holds. ∎

I.e., up to the coding function $\gamma$, there is a unique minimal WADL on any given wqo $X$: its sobrification $\mathcal{S}(X_a)$. There is also a unique largest one: its Hoare powerdomain $\mathcal{H}(X_a)$. An adequate domain of limits in the sense of Geeraerts et al. [13], i.e., one that additionally satisfies (L2), is, up to isomorphism, any subset of $\mathcal{H}(X_a)$ containing $\mathcal{S}(X_a)$ plus the special closed set $X$ itself as top element. We contend that $\mathcal{S}(X_a)$ is, in general, the sole WADL worth considering.

Ideal completions. We have already argued that $\mathcal{S}(X)$, for any Noetherian space $X$, was in a sense a completion of $X$, adding missing limits. Another classical construction to add limits to some poset $X$ is its ideal completion $Idl(X)$. The elements of the ideal completion of $X$ are its ideals, i.e., its downward-closed directed families, ordered by inclusion. $Idl(X)$ can be visualized as a form of Cauchy completion of $X$: we add all missing limits of directed families $(x_i)_{i \in I}$ from $X$, by declaring these families to be their limits, equating two families when they have the same downward closure. In $Idl(X)$, the finite elements are the elements of $X$; formally, the map $\eta_{Idl} : X \to Idl(X)$ that sends $x$ to $\downarrow x$ is an embedding, and the finite elements of $Idl(X)$ are those of the form $\eta_{Idl}(x)$. It turns out that sobrification and ideal completion coincide, in a strong sense:

Proposition 3.3 ([?]). For any poset $X$, $\mathcal{S}(X_a) = Idl(X)$.

This is not just an isomorphism: the irreducible closed subsets of $X_a$ are exactly the ideals. Note also that $Idl(X)$ is always an algebraic dcpo [5, Proposition 2.2.22, Item 4].

When $X$ is wqo, any downward-closed subset of $X$ is a finite union of ideals. So $(Idl(X) \setminus X, \subseteq, id)$ is a WADL on $X$. Proposition 3.2 and Proposition 3.3 entail this, and a bit more:

Theorem 3.4. For any wqo $X$, $\mathcal{S}(X_a) = Idl(X)$ is the smallest WADL on $X$.

Well-based continuous dcpos. There is a natural notion of limit in dcpos: whenever $(x_i)_{i \in I}$ is a directed family, consider $\sup_{i \in I} x_i$. Starting from a wqo $X$, it is then natural to look at some dcpo $Y$ that would contain $X$ as a basis. In particular, $Y$ would be continuous. This prompts us to define a well-based continuous dcpo as one that has a well-ordered basis, namely the original poset $X$.

This has several advantages. First, in general there are several notions of "sets of limits" of a given subset $A \subseteq Y$, but we shall see that they all coincide in continuous posets. Such sets of limits are important, because these are what we would like Karp-Miller-like procedures to compute, through acceleration techniques. Here are the possible notions. First, define $Lub_Y(A)$ as the set of all least upper bounds in $Y$ of directed families in $A$. Second, $Ind_Y(A)$, the inductive hull of $A$ in $Y$, is the smallest sub-dcpo of $Y$ containing $A$. Finally, the (Scott-topological) closure $cl(A)$ of $A$. It is well-known that $cl(A)$ is the smallest downward closed sub-dcpo of $Y$ containing $A$. (Recall that any open is upward closed, so that any closed set must be downward closed.) In any dcpo $Y$, one has $A \subseteq Lub_Y(A) \subseteq Ind_Y(A) \subseteq cl(A)$, and all inclusions are strict in general. E.g., in $Y = \mathbb{N}_\omega$, take $A$ to be the set of even numbers. Then $Lub_Y(A) = Ind_Y(A) = A \cup \{\omega\}$ while $cl(A) = \mathbb{N}_\omega$. While $Lub_Y(A) = Ind_Y(A)$ in this case, there are cases where $Lub_Y(A)$ is itself not closed under least upper bounds of directed families, and one has to iterate the $Lub_Y$ operator to compute $Ind_Y(A)$. On continuous posets however, all these notions coincide [10, Appendix A].

Proposition 3.5. Let $Y$ be a continuous poset. Then, for every downward-closed subset $A$ of $Y$, $Ind_Y(A) = Lub_Y(A) = cl(A)$.

We shall use this in Section 6. The key point now is that, again, well-based continuous dcpos coincide with completions of the form $\mathcal{S}(X_a)$ or $Idl(X)$, and are therefore WADLs [10, Appendix B]. This even holds for continuous dcpos having a well-founded (not well-ordered) basis:

Proposition 3.6. Any continuous dcpo $Y$ with a well-founded basis is order-isomorphic to $Idl(X)$ for some well-ordered set $X$. One may take the subset of finite elements of $Y$ for $X$. If $Y$ is well-based, then $X$ is well-ordered.

4. Some Concrete WADLs 

We now build WADLs for several concrete posets $X$. Following Proposition 3.2, it suffices to characterize $\mathcal{S}(X_a)$. Although $\mathcal{S}(X_a) = Idl(X)$ (Proposition 3.3), the mathematics of $\mathcal{S}(X_a)$ is easier to deal with than that of $Idl(X)$.

$\mathbb{N}^k$. We start with $X = \mathbb{N}^k$, with the pointwise ordering. We have already recalled from [15] that $\mathcal{S}(\mathbb{N}^k_a)$ was, up to isomorphism, $(\mathbb{N}_\omega)^k$, ordered with the pointwise ordering, where $\omega$ is a new element above any natural number. This is the structure used in the standard Karp-Miller construction for Petri nets [16].

$\Sigma^*$. Let $\Sigma$ be a finite alphabet. The divisibility ordering $|$ on $\Sigma^*$, a.k.a. the subsequence (non-continuous subword) ordering, is defined by $a_1 a_2 \cdots a_n \mid w_0 a_1 w_1 a_2 \cdots a_n w_n$, for any letters $a_1, a_2, \ldots, a_n \in \Sigma$ and words $w_0, w_1, \ldots, w_n \in \Sigma^*$. There is a more general definition, where letters themselves are quasi-well-ordered. Our definition is the special case where the wqo on letters is $=$, and is the one required in verifying lossy channel systems [1]. Higman's Lemma states that $|$ is wqo on $\Sigma^*$.

Any upward closed subset $U$ of $\Sigma^*$ is then of the form $\uparrow E$, with $E$ finite. For any element $w = a_1 a_2 \cdots a_n$ of $\Sigma^*$, $\uparrow w$ is the regular language $\Sigma^* a_1 \Sigma^* a_2 \Sigma^* \ldots \Sigma^* a_n \Sigma^*$. Forward analysis of lossy channel systems is instead based on simple regular expressions (SREs). Recall from [1] that an atomic expression is any regular expression of the form $a^?$, with $a \in \Sigma$, or $A^*$, where $A$ is a non-empty subset of $\Sigma$. When $A = \{a_1, \ldots, a_m\}$, we take $A^*$ to denote $(a_1 + \ldots + a_m)^*$; $a^?$ denotes $\{a, \epsilon\}$. A product is any regular expression of the form $e_1 e_2 \ldots e_n$ ($n \in \mathbb{N}$), where each $e_i$ is an atomic expression. A simple regular expression, or SRE, is a sum, either $\emptyset$ or $P_1 + \ldots + P_n$, where $P_1, \ldots, P_n$ are products. Sum is interpreted as union. That SREs and products are relevant here is no accident, as the following proposition shows.

Proposition 4.1. The elements of $\mathcal{S}(\Sigma^*)$ are exactly the denotations of products. The downward closed subsets of $\Sigma^*$ are exactly the denotations of SREs.

Proof. The second part is well-known. If $F = P_1 + \ldots + P_k$ is irreducible closed, then by irreducibility $k$ must equal 1, hence $F$ is denoted by a product. Conversely, it is easy to show that any product denotes an ideal, hence an element of $Idl(X) = \mathcal{S}(X_a)$ (Proposition 3.3). ∎
Inclusion between products can then be checked in quadratic time [1]. Inclusion between SREs can be checked in polynomial time, too, because of the remarkable property that $P_1 + \ldots + P_m \subseteq P'_1 + \ldots + P'_n$ if and only if, for every $i$ ($1 \le i \le m$), there is a $j$ ($1 \le j \le n$) with $P_i \subseteq P'_j$ [1, Lemma 1]. Similar lemmas are given by Abdulla et al. [3, Lemma 3, Lemma 4] for more general notions of SREs on words on infinite alphabets, and for a similar notion for finite multisets of elements from a finite set (both will be special cases of our constructions of Section 5). This is again no accident, and is a general fact about Noetherian spaces:

Proposition 4.2. Let $X$ be a Noetherian space, e.g., a wqo with its Alexandroff topology. Every closed subset $F$ of $X$ is a finite union of irreducible closed subsets $C_1, \ldots, C_m$. If $C'_1, \ldots, C'_n$ are also irreducible closed, then $C_1 \cup \ldots \cup C_m \subseteq C'_1 \cup \ldots \cup C'_n$ if and only if for every $i$ ($1 \le i \le m$), there is a $j$ ($1 \le j \le n$) with $C_i \subseteq C'_j$.

Proof. For the first part, by the results of [15], $\mathcal{S}(X)$ is Noetherian and sober, which entails that $F$ can be written $\downarrow \{x_1, \ldots, x_m\}$; now take $C_i = x_i$, $1 \le i \le m$ (see [10, Appendix C] for details). The second part is an easy consequence of irreducibility. ∎

Proposition 4.2 suggests representing closed subsets of $X$ as finite subsets $A$ of $\mathcal{S}(X)$, interpreted as the closed set $\bigcup_{C \in A} C$. When $X = \Sigma^*$, $A$ is a finite set of products, i.e., an SRE. When $X = \mathbb{N}^k$, $A$ is a finite subset of $\mathbb{N}_\omega^k$, interpreted as $\downarrow A \cap \mathbb{N}^k$.

Finite Trees. All the examples given above are well-known. Here is one that is new, and also more involved than the previous ones. Let $\mathcal{F}$ be a finite signature of function symbols with their arities. We let $\mathcal{F}_k$ be the set of function symbols of arity $k$; $\mathcal{F}_0$ is the set of constants, and is assumed to be non-empty. The set $\mathcal{T}(\mathcal{F})$ is the set of ground terms built from $\mathcal{F}$. Kruskal's Tree Theorem states that this is well-quasi-ordered by the homeomorphic embedding ordering $\le$, defined as the smallest relation such that, whenever $u = f(u_1, \ldots, u_m)$ and $v = g(v_1, \ldots, v_n)$, $u \le v$ if and only if $u \le v_j$ for some $j$, $1 \le j \le n$, or $f = g$, $m = n$, and $u_1 \le v_1$, $u_2 \le v_2$, \ldots, $u_m \le v_m$. (As for $\Sigma^*$, we take a special case, where each function has fixed arity.)

The structure of $\mathcal{S}(\mathcal{T}(\mathcal{F})_a)$ is described using an extension of SREs to the tree case. This uses regular tree expressions as defined in [6, Section 2.2]. Let $\mathcal{K}$ be a countably infinite set of additional constants, called holes $\square$. Most tree regular expressions are self-explanatory, except Kleene star $L^{*,\square}$ and concatenation $L \cdot_\square L'$. The latter denotes the set of all terms obtained from a term $t$ in $L$ by replacing all occurrences of $\square$ by (possibly different) terms from $L'$. The language of a hole $\square$ is just $\{\square\}$. $L^{*,\square}$ is the infinite union of the languages of $\square$, $L$, $L \cdot_\square L$, $L \cdot_\square L \cdot_\square L$, etc.

Definition 4.3 (STRE). Tree products and product iterators are defined inductively by:

• Every hole $\square$ is a tree product.

• $f^?(P_1, \ldots, P_k)$ is a tree product, for any $f \in \mathcal{F}_k$ and any tree products $P_1, \ldots, P_k$. We take $f^?(P_1, \ldots, P_k)$ as an abbreviation for $f(P_1, \ldots, P_k) + P_1 + \ldots + P_k$.

• $(\sum_{i=1}^n C_i)^{*,\square} \cdot_\square P$ is a tree product, for any tree product $P$, any $n \ge 1$, and any product iterators $C_i$ over $\square$, $1 \le i \le n$. We write $\sum_{i=1}^n C_i$ for $C_1 + C_2 + \ldots + C_n$.

• $f(P_1, \ldots, P_k)$ is a product iterator over $\square$ for any $f \in \mathcal{F}_k$, where: 1. each $P_i$, $1 \le i \le k$, is either $\square$ itself or a tree product such that $\square$ is not in the language of $P_i$; and 2. $P_i = \square$ for some $i$, $1 \le i \le k$.

A simple tree regular expression (STRE) is a finite sum of tree products.

A tree regular expression is closed iff it has no free hole, where a hole is free in $f(L_1, \ldots, L_k)$, $L_1 + \ldots + L_k$, or in $f^?(L_1, \ldots, L_k)$ iff it is free in some $L_i$, $1 \le i \le k$; the only free hole in $\square$ is $\square$ itself; the free holes of $L^{*,\square}$ are those of $L$, plus $\square$; the free holes of $L \cdot_\square L'$ are those of $L'$, plus those of $L$ except $\square$. E.g., $f(a, b^?)$ and $(\ldots + f(g^?(b^?), \square))^{*,\square} \cdot_\square f(a, b^?)$ are closed tree products. Then [10, Appendix D]:

Theorem 4.4. The elements of $\mathcal{S}(\mathcal{T}(\mathcal{F})_a)$ are exactly the denotations of closed tree products. The downward closed subsets of $\mathcal{T}(\mathcal{F})$ are exactly the denotations of closed STREs. Inclusion is decidable in polynomial time for tree products and for STREs.

5. A Hierarchy of Data Types 

The sobrification WADL can be computed in a compositional way, as we now show. Consider the following grammar of data types of interest in verification:

$D ::= \mathbb{N}$ (natural numbers)
$\mid A_\le$ (finite set $A$, quasi-ordered by $\le$)
$\mid D_1 \times \ldots \times D_k$ (finite product)
$\mid D_1 + \ldots + D_k$ (finite, disjoint sum)
$\mid D^*$ (finite words)
$\mid D^\otimes$ (finite multisets)

By compositional, we mean that the sobrification of any data type $D$ is computed in terms of the sobrifications of its arguments. E.g., $\mathcal{S}(D^*)$ will be expressed as some extended form of products over $\mathcal{S}(D_a)$. The semantics of data types is the intuitive one. Finite products are quasi-ordered by the pointwise quasi-ordering, finite disjoint sums by comparing elements in each summand, elements from different summands being incomparable. For any poset $X$ (even infinite), $X^*$ is the set of finite words over $X$ ordered by the embedding quasi-ordering $\le^*$: $w \le^* w'$ iff, writing $w$ as the sequence of $m$ letters $a_1 a_2 \cdots a_m$, one can write $w'$ as $w_0 a'_1 w_1 a'_2 w_2 \cdots w_{m-1} a'_m w_m$ with $a_1 \le a'_1$, $a_2 \le a'_2$, \ldots, $a_m \le a'_m$. $X^\otimes$ is the set of finite multisets $\{|x_1, \ldots, x_n|\}$ of elements of $X$, and is quasi-ordered by $\le^\otimes$, defined as: $\{|x_1, x_2, \ldots, x_m|\} \le^\otimes \{|y_1, y_2, \ldots, y_n|\}$ iff there is an injective map $r : \{1, \ldots, m\} \to \{1, \ldots, n\}$ such that $x_i \le y_{r(i)}$ for all $i$, $1 \le i \le m$. When $\le$ is just equality, $m \le^\otimes m'$ iff every element of $m$ occurs at least as many times in $m'$ as in $m$: this is the $\le^m$ quasi-ordering considered, on finite sets $X$, by Abdulla et al. [3, Section 2].

The analogue of products and SREs for $D^*$ is given by the following definition, which generalizes the $\Sigma^*$ case of Section 4. Note that $D$ is in general an infinite alphabet, as in [?]. The following definition should be compared with [?]. The only meaningful difference is the replacement of $(a + \epsilon)$, where $a$ is a letter, with $C^?$, where $C \in \mathcal{S}(X_a)$. It should also be compared with the word language generators of [3, Section 6]. Indeed, the latter are exactly our products on $A^\otimes$, where $A$ is a finite alphabet (in our notation, $A_\le$, with $\le$ given as equality).

Definition 5.1 (Product, SRE). Let $X$ be a topological space. Let $X^*$ be the set of finite words on $X$. For any $A, B \subseteq X^*$, let $AB$ be $\{ww' \mid w \in A, w' \in B\}$, $A^*$ be the set of words on $A$, $A^? = A \cup \{\epsilon\}$.

Atomic expressions are either of the form $C^?$, with $C \in \mathcal{S}(X)$, or $A^*$, with $A$ a non-empty finite subset of $\mathcal{S}(X)$. Products are finite sequences $e_1 e_2 \cdots e_k$, $k \in \mathbb{N}$, and SREs are finite sums of products. The denotation of atomic expressions is given by $[\![C^?]\!] = C^?$, $[\![A^*]\!] = (\bigcup_{C \in A} C)^*$; of products by $[\![e_1 e_2 \ldots e_k]\!] = [\![e_1]\!] [\![e_2]\!] \ldots [\![e_k]\!]$; of SREs by $[\![P_1 + \ldots + P_k]\!] = \bigcup_{i=1}^k [\![P_i]\!]$.

Atomic expressions are ordered by $C^? \sqsubseteq C'^?$ iff $C \subseteq C'$; $C^? \sqsubseteq A'^*$ iff $C \subseteq C'$ for some $C' \in A'$; $A^* \not\sqsubseteq C'^?$; $A^* \sqsubseteq A'^*$ iff for every $C \in A$, there is a $C' \in A'$ with $C \subseteq C'$. Products are quasi-ordered by $eP \sqsubseteq e'P'$ iff (1) $e \not\sqsubseteq e'$ and $eP \sqsubseteq P'$, or (2) $e = C^?$, $e' = C'^?$, $C \subseteq C'$ and $P \sqsubseteq P'$, or (3) $e' = A'^*$, $e \sqsubseteq A'^*$ and $P \sqsubseteq e'P'$. We let $\equiv$ be $\sqsubseteq \cap \sqsupseteq$.
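The product ordering $\sqsubseteq$ of Definition 5.1 together with the SRE inclusion criterion recalled in Section 4 ([1, Lemma 1]), as an added Python illustration that is not code from the paper: it specialises $X$ to a finite quasi-ordered alphabet $A_\le$, so that (by Theorem 5.3) $\mathcal{S}(A_\le) = A_\le$ and the inclusion $C \subseteq C'$ is just $a \le a'$ on letters; the comparison function `leq`, the tuple encoding of atoms, products and words, and the sample expressions are all assumptions of this example, and with `leq` taken as equality it is the $\Sigma^*$ case of lossy channel systems.

```python
# Products and SREs of Definition 5.1 over the data type A_<= (a finite
# alphabet quasi-ordered by `leq`).  By Theorem 5.3, S(A_<=) = A_<= : an
# element C of S(X) is a letter a, standing for the closed set ↓a, and the
# incl. C ⊆ C' is leq(a, a').  With `leq` = equality this is the Σ* case of
# Section 4.  Encoding (assumed for this example): a product is a tuple of
# atoms, ('q', a) for a? and ('s', frozenset(A)) for A*; an SRE is a list of
# products; a word is a tuple of letters.
from itertools import product as cartesian


def q(a):
    """Atomic expression a? : one letter below a, or epsilon."""
    return ('q', a)


def s(*letters):
    """Atomic expression A* : any word whose letters lie below letters of A."""
    return ('s', frozenset(letters))


def atom_leq(e, f, leq):
    """e ⊑ f on atomic expressions (the four clauses of Definition 5.1)."""
    if e[0] == 'q' and f[0] == 'q':                 # a? ⊑ a'?  iff a <= a'
        return leq(e[1], f[1])
    if e[0] == 'q' and f[0] == 's':                 # a? ⊑ A'*  iff a <= some a' in A'
        return any(leq(e[1], b) for b in f[1])
    if e[0] == 's' and f[0] == 'q':                 # A* ⋢ a'?
        return False
    return all(any(leq(a, b) for b in f[1]) for a in e[1])   # A* ⊑ A'*


def product_leq(P, Q, leq):
    """P ⊑ Q on products: the three clauses of Definition 5.1, read as a
    recursive decision procedure on the first atoms e of P and f of Q."""
    if not P:
        return True        # epsilon belongs to every product's denotation
    if not Q:
        return False       # a non-empty product denotes more than {epsilon}
    e, f = P[0], Q[0]
    if not atom_leq(e, f, leq):            # (1) f cannot absorb e: f is read as epsilon
        return product_leq(P, Q[1:], leq)
    if f[0] == 'q':                        # (2) a? ⊑ a'?: both atoms are consumed
        return product_leq(P[1:], Q[1:], leq)
    return product_leq(P[1:], Q, leq)      # (3) f = A'* absorbs e and stays available


def sre_leq(S, T, leq):
    """S ⊆ T on SREs, by the criterion recalled in Section 4 ([1, Lemma 1]):
    every product of S must be below some product of T."""
    return all(any(product_leq(P, Q, leq) for Q in T) for P in S)


def member(w, P, leq):
    """w ∈ [[P]], computed directly from the denotations of Definition 5.1."""
    if not w:
        return True
    if not P:
        return False
    e, rest = P[0], P[1:]
    if member(w, rest, leq):               # the first atom read as epsilon
        return True
    if e[0] == 'q':                        # a? absorbs exactly one letter below a
        return leq(w[0], e[1]) and member(w[1:], rest, leq)
    return any(leq(w[0], a) for a in e[1]) and member(w[1:], P, leq)   # A* absorbs a letter


def semantic_leq(P, Q, alphabet, leq, max_len=5):
    """Brute-force [[P]] ⊆ [[Q]] on all words of length <= max_len, used only to
    cross-check the syntactic criterion product_leq on small instances."""
    return all(member(w, Q, leq)
               for k in range(max_len + 1)
               for w in cartesian(alphabet, repeat=k)
               if member(w, P, leq))


def EQ(x, y):
    """Letters ordered by equality: the Σ* / lossy channel case."""
    return x == y


def LE(x, y):
    """A genuine quasi-ordering on letters (here: integers by magnitude)."""
    return x <= y


if __name__ == '__main__':
    # Constructed channel contents over {a, b, c}.
    P1 = (q('a'), s('b'))            # a? b*
    P2 = (s('a', 'b'),)              # {a, b}*
    print(product_leq(P1, P2, EQ), product_leq(P2, P1, EQ))       # True False
    print(sre_leq([P1, (q('c'),)], [P2, (q('c'), q('c'))], EQ))    # True
    print(product_leq((s(1), q(3)), (s(2), q(3)), LE))             # True
```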



Definition 5.2 ($\otimes$-Product, $\otimes$-SRE). Let $X$ be a topological space. For any $A, B \subseteq X^\otimes$, let $A \oplus B = \{m \uplus m' \mid m \in A, m' \in B\}$, $A^\otimes$ be the set of multisets comprised of elements from $A$, $A^? = \{\{|x|\} \mid x \in A\} \cup \{\emptyset\}$, where $\emptyset$ is the empty multiset.

The $\otimes$-products $P$ are the expressions of the form $A^\otimes \oplus C_1^? \oplus \ldots \oplus C_n^?$, where $A$ is a finite subset of $\mathcal{S}(X)$, $n \in \mathbb{N}$, and $C_1, \ldots, C_n \in \mathcal{S}(X)$. Their denotation $[\![P]\!]$ is $(\bigcup_{C \in A} C)^\otimes \oplus [\![C_1]\!]^? \oplus \ldots \oplus [\![C_n]\!]^?$. They are quasi-ordered by $P \sqsubseteq P'$, where $P = A^\otimes \oplus C_1^? \oplus \ldots \oplus C_m^?$ and $P' = A'^\otimes \oplus C'^?_1 \oplus \ldots \oplus C'^?_n$, iff: (1) for every $C \in A$, there is a $C' \in A'$ with $C \subseteq C'$, and (2) letting $I$ be the subset of those indices $i$, $1 \le i \le m$, such that $C_i \subseteq C'$ for no $C' \in A'$, there is an injective map $r : I \to \{1, \ldots, n\}$ such that $C_i \subseteq C'_{r(i)}$ for all $i \in I$. Let $\equiv$ be $\sqsubseteq \cap \sqsupseteq$.
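Definition 5.2 specialised in the same way to $A_\le$, again as an added illustration rather than the paper's code: clause (2) asks for an injective map $r$, which is computed here as a maximum matching in a bipartite graph (Kuhn's augmenting-path algorithm); the pair encoding of $\otimes$-products, the tuple encoding of multisets, `leq` and the sample inputs are assumptions of this example, and the brute-force cross-check enumerates multisets only up to a bounded size.

```python
# ⊗-products of Definition 5.2 over the data type A_<= (a finite alphabet
# quasi-ordered by `leq`); as in Theorem 5.3, S(A_<=) = A_<=, so every C in
# S(X) is a letter and C ⊆ C' is leq(a, a').  Encoding (assumed for this
# example): the ⊗-product A^⊗ ⊕ C_1^? ⊕ ... ⊕ C_n^? is the pair
# (frozenset(A), (c_1, ..., c_n)); a multiset is a tuple of letters.
from itertools import combinations_with_replacement


def otimes_leq(P, Q, leq):
    """P ⊑ Q following Definition 5.2.  Clause (1): every letter of A is below
    a letter of A'.  Clause (2): the C_i that no letter of A' dominates (the
    index set I) must embed injectively into the C'_j with C_i <= C'_r(i);
    that is a matching in a bipartite graph, found by augmenting paths."""
    A, cs = P
    A2, cs2 = Q
    if not all(any(leq(a, b) for b in A2) for a in A):          # clause (1)
        return False
    left = [c for c in cs if not any(leq(c, b) for b in A2)]    # the index set I
    match = {}                        # j (index into cs2) -> i (index into left)

    def assign(i, seen):
        for j, c2 in enumerate(cs2):
            if j not in seen and leq(left[i], c2):
                seen.add(j)
                if j not in match or assign(match[j], seen):
                    match[j] = i
                    return True
        return False

    return all(assign(i, set()) for i in range(len(left)))     # clause (2)


def member(m, P, leq):
    """m ∈ [[P]] for a multiset m = {|x_1, ..., x_k|}: [[P]] is downward closed
    and m is the largest element of [[∅^⊗ ⊕ x_1^? ⊕ ... ⊕ x_k^?]], so
    membership is the inclusion of that ⊗-product in P."""
    return otimes_leq((frozenset(), tuple(m)), P, leq)


def semantic_otimes_leq(P, Q, alphabet, leq, max_size=4):
    """Brute-force [[P]] ⊆ [[Q]] over all multisets of size <= max_size, to
    cross-check otimes_leq on small instances."""
    return all(member(m, Q, leq)
               for k in range(max_size + 1)
               for m in combinations_with_replacement(alphabet, k)
               if member(m, P, leq))


def EQ(x, y):
    """Letters ordered by equality (the finite-set case of Abdulla et al.)."""
    return x == y


def LE(x, y):
    """A genuine quasi-ordering on letters (here: integers by magnitude)."""
    return x <= y


if __name__ == '__main__':
    # Constructed examples over the letters a, b, c.
    P = (frozenset('a'), ('b', 'c'))       # {a}^⊗ ⊕ b? ⊕ c?
    Q = (frozenset('ab'), ('c',))          # {a, b}^⊗ ⊕ c?
    print(otimes_leq(P, Q, EQ), otimes_leq(Q, P, EQ))          # True False
    print(otimes_leq((frozenset(), ('c', 'c')), Q, EQ))        # False
```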

Theorem 5.3. For every data type $D$, $\mathcal{S}(D_a)$ is Noetherian, and is computed by: $\mathcal{S}(\mathbb{N}_a) = \mathbb{N}_\omega$; $\mathcal{S}(A_{\le a}) = A_\le$; $\mathcal{S}((D_1 \times \ldots \times D_k)_a) = \mathcal{S}(D_{1a}) \times \ldots \times \mathcal{S}(D_{ka})$; $\mathcal{S}((D_1 + \ldots + D_k)_a) = \mathcal{S}(D_{1a}) + \ldots + \mathcal{S}(D_{ka})$; $\mathcal{S}(D^*)$ is the set of products on $D$ modulo $\equiv$ ordered by $\sqsubseteq$ (Definition 5.1); $\mathcal{S}(D^\otimes)$ is the set of $\otimes$-products on $D$ modulo $\equiv$ ordered by $\sqsubseteq$ (Definition 5.2).

For any data type $D$, equality and ordering (inclusion) in $\mathcal{S}(D_a)$ are decidable in the polynomial hierarchy.

Proof. We show that $\mathcal{S}(D_a)$ is Noetherian and is computed as given above, by induction on the construction of $D$. We in fact prove the following two facts separately: (1) $\mathcal{S}(D)$ is Noetherian ($D$, not $D_a$), where $D$ is topologized in a suitable way, and (2) $D = D_a$.

To show (1), we topologize $\mathbb{N}$ and $A_\le$ with their Alexandroff topologies, sums and products with the sum and product topologies respectively; $X^*$ with the subword topology, viz. the smallest containing the open subsets $X^* U_1 X^* U_2 X^* \ldots X^* U_n X^*$, $n \in \mathbb{N}$, $U_1, U_2, \ldots, U_n$ open in $X$; and $X^\otimes$ with the sub-multiset topology, namely the smallest containing the subsets $X^\otimes \oplus U_1 \oplus U_2 \oplus \ldots \oplus U_n$, $n \in \mathbb{N}$, where $U_1, U_2, \ldots, U_n$ are open subsets of $X$. The case of $\mathbb{N}$ has already been discussed above. When $A_\le$ is finite, it is both Noetherian and sober. The case of finite products is by [15, Section 6], that of finite sums by [?, Section 4]. The cases of $X^*$, resp. $X^\otimes$, are dealt with in [10, Appendices E, F].

To show (2), we appeal to a series of coincidence lemmas, showing that $(X^*)_a = X^*$ and that $(X^\otimes)_a = X^\otimes$ notably. The other cases are obvious.

Finally, we show that inclusion and equality are decidable in the polynomial hierarchy. For this, we show in the appendices that inclusion on $\mathcal{S}(D^*)$ is $\sqsubseteq$ on products, and is decidable by a polynomial time algorithm modulo calls to an oracle deciding inclusion in $\mathcal{S}(D)$. This is by dynamic programming. Inclusion in $\mathcal{S}(D^\otimes)$ is $\sqsubseteq$ on $\otimes$-products, and is decidable by a non-deterministic polynomial time algorithm modulo a similar oracle. We conclude since the orderings on $\mathbb{N}_\omega$ and on $A_\le$ are polynomial-time decidable, while inclusion in $\mathcal{S}(D_1 \times \ldots \times D_k) = \mathcal{S}(D_1) \times \ldots \times \mathcal{S}(D_k)$ and in $\mathcal{S}(D_1 + \ldots + D_k) = \mathcal{S}(D_1) + \ldots + \mathcal{S}(D_k)$ are polynomial time modulo oracles deciding inclusion in $\mathcal{S}(D_i)$, $1 \le i \le k$. ∎

Look at some special cases of this construction. First, $\mathbb{N}^k$ is the data type $\mathbb{N} \times \dots \times \mathbb{N}$, and we retrieve that $\mathcal{S}(\mathbb{N}^k) = \mathbb{N}_\omega^k$. Second, when $A$ is a finite alphabet, $A^*$ is given by products, as given in the $\Sigma^*$ paragraph of Section 4, i.e., we retrieve the products (and SREs) of Abdulla et al. [1]. The more complicated case $(A^\circledast)^*$ was dealt with by Abdulla et al. We note that the elements of $\mathcal{S}((A^\circledast)^*)$ are exactly their word language generators, which we retrieve here in a principled way. Additionally, we can deal with more complex data structures such as, e.g., $(((\mathbb{N} \times A_\le)^* \times \mathbb{N})^\circledast)^\circledast$.

A. FINKEL AND J. GOUBAULT-LARRECQ

Finally, note that (1) and (2) are two separate concerns in the proof of Theorem 5.3. If we are ready to relinquish orderings for the more general topological route, as advocated in [15], we could also enrich our grammar of data types with infinite constructions such as $\mathbb{P}(D)$, where $\mathbb{P}(D)$ is interpreted as the powerset of $D$ with the so-called lower Vietoris topology. In fact, $\mathcal{S}(\mathbb{P}(X)) = \mathcal{H}(X)$ is Noetherian whenever $X$ is, and its elements can be represented as finite subsets $A$ of $\mathcal{S}(X)$, interpreted as $\bigcup_{C \in A} C$ [10, Appendix G]. In a sense, while $\mathcal{S}(X_a) = \mathrm{Idl}(X)$ for all ordered spaces $X$, the sobrification construction is more robust than the ideal completion.

6. Completing WSTS, or: Towards Forward Procedures Computing the Cover 

We show how one may use our completions on wqos to deal with forward analysis of well-structured systems. We shall describe this in more detail in another paper. First note that any data type $D$ of Section 5 is suited to applying the expand, enlarge and check algorithm [13] out of the box to this end, since then $\mathcal{S}(D_a)$ is (the least) WADL for $D$. We instead explore extensions of the Karp-Miller procedure [16], in the spirit of Finkel [9] or Emerson and Namjoshi [7]. While the latter assumes an already built completion, we construct it. Also, we make explicit how this kind of acceleration-based procedure really computes the cover, i.e., $\downarrow \mathrm{Post}^*(\downarrow x)$, in Proposition 6.1.

Recall that a well-structured transition system (WSTS) is a triple $S = (X, \le, (\delta_i)_{i=1}^n)$, where $X$ is well-quasi-ordered by $\le$, and each $\delta_i : X \to X$ is a partial monotonic transition function. (By "partial monotonic" we mean that the domain of $\delta_i$ is upward closed, and $\delta_i$ is monotonic on its domain.) Letting $\mathrm{Pre}(A) = \bigcup_{i=1}^n \delta_i^{-1}(A)$, $\mathrm{Pre}^0(A) = A$, and $\mathrm{Pre}^*(A) = \bigcup_{k \in \mathbb{N}} \mathrm{Pre}^k(A)$, it is well-known that any upward closed subset of $X$ is of the form $\uparrow E$ for some finite $E \subseteq X$, and that $\mathrm{Pre}^*(\uparrow E)$ is an upward-closed subset $\uparrow E'$, $E'$ finite, that arises as $\bigcup_{k=0}^m \mathrm{Pre}^k(\uparrow E)$ for some $m \in \mathbb{N}$. Hence, provided $\le$ is decidable and $\delta_i^{-1}(\uparrow E)$ is computable for each finite $E$, it is decidable whether $x \in \mathrm{Pre}^*(\uparrow E)$, i.e., whether one may reach $\uparrow E$ from $x$ in finitely many steps. It is equivalent to check whether $y \in \downarrow \mathrm{Post}^*(\downarrow x)$ for some $y \in E$, where $\mathrm{Post}(A) = \bigcup_{i=1}^n \delta_i(A)$, $\mathrm{Post}^0(A) = A$, and $\mathrm{Post}^*(A) = \bigcup_{k \in \mathbb{N}} \mathrm{Post}^k(A)$.

All the existing symbolic procedures that attempt to compute $\downarrow \mathrm{Post}^*(\downarrow x)$, even with a finite number of accelerations (e.g., Fast, Trex, Lash), can only compute subsets of the larger set $\mathrm{Lub}(\downarrow \mathrm{Post}^*(\downarrow x))$. In general, $\mathrm{Lub}(\downarrow \mathrm{Post}^*(\downarrow x))$ does not admit a finite representation. On the other hand, we know that the Scott-closure $cl(\mathrm{Post}^*(\downarrow x))$, as a closed subset of $\mathrm{Idl}(X)$ (intersected with $X$ itself), is always finitary. Indeed, it is also a closed subset of $\mathcal{S}(X_a)$ (Proposition 3.3), which is represented as the downward closure of finitely many elements of $\mathcal{S}(X_a)$. Since $Y = \mathrm{Idl}(X)$ is continuous, Proposition 3.5 allows us to conclude that $\mathrm{Lub}_Y(\downarrow \mathrm{Post}^*(\downarrow x)) = cl(\mathrm{Post}^*(\downarrow x))$ is finitary, hence representable provided $X$ is one of the data types of Section 5.

This leads to the following construction. Any partial monotonic map $f : X \to Y$ between quasi-ordered sets lifts to a continuous partial map $\mathcal{S}f : \mathcal{S}(X_a) \to \mathcal{S}(Y_a)$: for each irreducible closed subset (a.k.a., ideal) $C$ of $\mathcal{S}(X_a)$, either $C \cap \mathrm{dom}\, f \ne \emptyset$ and $\mathcal{S}f(C) = \downarrow f(C) = \{y \in Y \mid \exists x \in C \cap \mathrm{dom}\, f \cdot y \le f(x)\}$, or $C \cap \mathrm{dom}\, f = \emptyset$ and $\mathcal{S}f(C)$ is undefined. The completion of a WSTS $S = (X, \le, (\delta_i)_{i=1}^n)$ is then the transition system $\widehat{S} = (\mathcal{S}(X_a), \subseteq, (\mathcal{S}\delta_i)_{i=1}^n)$.

For example, when $X = \mathbb{N}^k$, and $S$ is a Petri net with transitions $\delta_i$ defined as $\delta_i(x) = x + d_i$ (where $d_i \in \mathbb{Z}^k$; this is defined whenever $x + d_i \in \mathbb{N}^k$), then $\widehat{S}$ is the transition system whose set of states is $\mathcal{S}(X) = \mathbb{N}_\omega^k$, and whose transition functions are: $\mathcal{S}\delta_i(x) = x + d_i$, whenever this has only non-negative coordinates, taking the convention that $\omega + d = \omega$ for any $d \in \mathbb{Z}$.

We may emulate lossy channel systems through the following functional-lossy channel systems (FLCS). For simplicity, we assume just one channel and no local state; the general case would only make the presentation more obscure. An FLCS differs from an LCS in that it loses only the least amount of messages needed to enable transitions. Take $X = \Sigma^*$ for some finite alphabet $\Sigma$ of messages; the transitions are either of the form $\delta_i(w) = w a_i$ for some fixed letter $a_i$ (sending $a_i$ onto the channel), or of the form $\delta_i(w) = w_2$ whenever $w$ is of the form $w_1 a_i w_2$, with $w_1$ not containing $a_i$ (expecting to receive $a_i$). Any LCS is cover-equivalent to the FLCS with the same sends and receives, where two systems are cover-equivalent if and only if they have the same sets $\downarrow \mathrm{Post}^*(F)$ for any downward-closed $F$. Equating $\mathcal{S}(\Sigma^*)$ with the set of products, as advocated in Section 4, we find that transition functions of the first kind lift to $\mathcal{S}\delta_i(P) = P a_i^?$, while transition functions of the second kind lift to: $\mathcal{S}\delta_i(\epsilon)$ is undefined, $\mathcal{S}\delta_i(a_j^? P) = \mathcal{S}\delta_i(P)$ if $a_j \ne a_i$, $\mathcal{S}\delta_i(a_i^? P) = P$, $\mathcal{S}\delta_i(A^* P) = \mathcal{S}\delta_i(P)$ if $a_i \notin A$, $\mathcal{S}\delta_i(A^* P) = A^* P$ otherwise. This is exactly how Trex computes successors [1, Lemma 6].
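The lifted FLCS transitions above, as an added example that is neither the paper's nor Trex's code: a product over $\Sigma^*$ is encoded as a list of atoms, $a^?$ as ("opt", a) and $A^*$ as ("star", A), and the concrete send and receive on a single word are included so the lifted maps can be compared against them on constructed inputs.

```python
# Added example, not code from the paper or from Trex.  A product over Σ* is a
# list of atoms: ("opt", a) stands for a^? and ("star", frozenset) for A*.
# The lifted maps implement the case split for Sδ_i given in the text.

def flcs_send(w, a):
    """δ_i(w) = w a_i on a concrete channel content."""
    return w + a

def flcs_receive(w, a):
    """δ_i(w) = w2 when w = w1 a w2 with a not in w1; None (undefined) otherwise."""
    return w.split(a, 1)[1] if a in w else None

def lift_send(p, a):
    """Sδ_i(P) = P a_i^? : append the atom a^?."""
    return list(p) + [("opt", a)]

def lift_receive(p, a):
    """Sδ_i on a product: Sδ_i(ε) undefined; a_i^? P -> P; a_j^? P -> Sδ_i(P)
    for a_j != a_i; A* P -> A* P if a_i in A, else Sδ_i(P)."""
    if not p:
        return None
    kind, x = p[0]
    rest = p[1:]
    if kind == "opt":
        return rest if x == a else lift_receive(rest, a)
    return list(p) if a in x else lift_receive(rest, a)
```

On the word bac, receiving a yields c; on the product $b^? a^? c^?$, which contains bac, the lift yields $c^?$, whose downward closure contains c, as the rules predict.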

In general, the results of Section 5 allow us to use any domain of datatypes $D$ for the state space $X$ of $S$. The construction $\widehat{S}$ then generalizes all previous constructions, which used to be defined specifically for each datatype.

The Karp-Miller algorithm in Petri nets, or the Trex procedure for lossy channel systems, gives information about the cover $\downarrow \mathrm{Post}^*(\downarrow x)$. This is true of any completion $\widehat{S}$ as constructed above:

Proposition 6.1. Let $S$ be a WSTS. Let $\widehat{\mathrm{Post}}$ be the Post map of the completion $\widehat{S}$. For any closed subset $F$ of $\mathcal{S}(X_a)$, $\widehat{\mathrm{Post}}(F) = cl(\mathrm{Post}(F \cap X))$, and $\widehat{\mathrm{Post}}^*(F) = cl(\mathrm{Post}^*(F \cap X))$. Hence, for any downward closed subset $F$ of $X$, $\downarrow \mathrm{Post}(F) = X \cap \widehat{\mathrm{Post}}(F)$, $\downarrow \mathrm{Post}^*(F) = X \cap \widehat{\mathrm{Post}}^*(F)$.

Proof. Let $F$ be closed in $\mathcal{S}(X_a)$. $\widehat{\mathrm{Post}}(F) = \bigcup_{i=1}^n cl(\delta_i(F)) = cl(\bigcup_{i=1}^n \delta_i(F)) = cl(\mathrm{Post}(F))$, since closure commutes with (arbitrary) unions. We then claim that $\widehat{\mathrm{Post}}^k(F) = cl(\mathrm{Post}^k(F))$ for each $k \in \mathbb{N}$. This is by induction on $k$. The cases $k = 0, 1$ are obvious. When $k \ge 2$, we use the fact that, for any continuous partial map $f$: $(*)$ $cl(f(cl(A))) = cl(f(A))$. Then $\widehat{\mathrm{Post}}^k(F) = \bigcup_{i=1}^n cl(\delta_i(\widehat{\mathrm{Post}}^{k-1}(F))) = \bigcup_{i=1}^n cl(\delta_i(cl(\mathrm{Post}^{k-1}(F)))) = \bigcup_{i=1}^n cl(\delta_i(\mathrm{Post}^{k-1}(F)))$ (by $(*)$) $= cl(\mathrm{Post}^k(F))$. Finally, $\widehat{\mathrm{Post}}^*(F) = \bigcup_{k \in \mathbb{N}} \widehat{\mathrm{Post}}^k(F) = \bigcup_{k \in \mathbb{N}} cl(\mathrm{Post}^k(F)) = cl(\mathrm{Post}^*(F))$. We conclude, since for any $A \subseteq X$, $\downarrow A$ is the closure of $A$ in $X_a$; the topology of $X_a$ is the subspace topology of that of $\mathcal{S}(X_a)$; so, writing $cl$ for closure in $\mathcal{S}(X_a)$, $\downarrow A = X \cap cl(A)$. ∎

Writing $F$ as the finite union $C_1 \cup \dots \cup C_k$, where $C_1, \dots, C_k \in \mathcal{S}(X_a)$, $\widehat{\mathrm{Post}}(F)$ is computable as $\bigcup_{1 \le i_1, \dots, i_n \le k} \mathcal{S}\delta_1(C_{i_1}) \cup \dots \cup \mathcal{S}\delta_n(C_{i_n})$, assuming $\mathcal{S}\delta_i$ computable for each $i$. (We take $\mathcal{S}\delta_j(C_i)$ to mean $\emptyset$ if undefined, for notational convenience.) Although $\mathcal{S}\delta_i$ may be uncomputable even when $\delta_i$ is, it is computable on most WSTS in use. This holds, for example, for Petri nets and lossy channel systems, as exemplified above.

So it is easy to compute $\downarrow \mathrm{Post}(\downarrow x)$, as (the intersection of $X$ with) $\widehat{\mathrm{Post}}(\downarrow x)$. Our goal, $\downarrow \mathrm{Post}^*(\downarrow x)$, is also easily computed as $\widehat{\mathrm{Post}}^*(\downarrow x)$ (intersected with $X$ again), using acceleration techniques for loops. This is what the Karp-Miller construction does for Petri nets, what Trex does for lossy channel systems [1]. (We examine termination issues below.) Our framework generalizes all these procedures, using a weak acceleration assumption, whereby we assume that we can compute the least upper bound of the values of loops iterated $k$ times, $k \in \mathbb{N}$. For any continuous partial map $g : Y \to Y$ (with open domain) on a dcpo $Y$, let the iteration $g^\infty$ be the map of domain $\mathrm{dom}\, g$ such that $g^\infty(y)$ is the least upper bound of $(g^k(y))_{k \in \mathbb{N}}$ if $y \le g(y)$, and $g(y)$ otherwise. Let $\Delta = \{\mathcal{S}\delta_1, \dots, \mathcal{S}\delta_n\}$, $\Delta^*$ be the set of all composites of finitely many maps from $\Delta$. Our acceleration assumption is that one can compute $g^\infty(y)$ for any $g \in \Delta^*$, $y \in \mathcal{S}(X_a)$. The following procedure then computes $\downarrow \mathrm{Post}^*(\downarrow x)$, as (the intersection of $X$ with) $\widehat{\mathrm{Post}}^*(\downarrow x)$, itself represented as a finite union of elements of $\mathcal{S}(X_a)$: initially, let $A$ be $\{x\}$; then, while $\widehat{\mathrm{Post}}(A) \not\subseteq \downarrow A$, choose fairly $(g, a) \in \Delta^* \times A$ such that $a \in \mathrm{dom}\, g$ and add $g^\infty(a)$ to $A$. If this terminates, $A$ is a finite set whose downward closure is exactly $\downarrow \mathrm{Post}^*(\downarrow x)$. Despite its simplicity, this is the essence of the Karp-Miller procedure, generalized to a large class of spaces $X$.
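The procedure just described, instantiated on the Petri-net completion of this section (states in $\mathbb{N}_\omega^k$, $\mathcal{S}\delta_i(x) = x + d_i$), as an added example that is not the paper's code: $g^\infty$ for a composite translation puts $\omega$ on exactly the coordinates that strictly grow, the fair choice of $(g, a)$ is realised by trying, in round $r$, every composite of at most $r$ transitions on every element of $A$, and the three-place net used in the test is constructed for the illustration.

```python
from itertools import product as sequences

# Added example, not the paper's code: the generalized Karp-Miller procedure
# of Section 6 on the completion of a Petri net.  States live in N_ω^k.
OMEGA = float("inf")          # ω, with ω + d = ω for every d in Z

def lift_step(x, d):
    """Sδ_i(x) = x + d_i, undefined (None) if some coordinate would go negative."""
    y = tuple(xi + di for xi, di in zip(x, d))
    return y if all(yi >= 0 for yi in y) else None

def compose(ds):
    """g in Δ*: fire the translations d_1, ..., d_l in order; None if undefined."""
    def g(x):
        for d in ds:
            x = lift_step(x, d)
            if x is None:
                return None
        return x
    return g

def leq(x, y):
    return all(a <= b for a, b in zip(x, y))

def covered(x, A):
    """x ∈ ↓A in N_ω^k."""
    return any(leq(x, a) for a in A)

def accelerate(g, y):
    """g^∞(y): lub of (g^k(y))_k when y ≤ g(y), else g(y).  For a translation
    the lub puts ω on exactly the coordinates that strictly increase."""
    z = g(y)
    if z is None or not leq(y, z):
        return z
    return tuple(OMEGA if b > a else a for a, b in zip(y, z))

def cover(x, deltas):
    """A := {x}; while Post(A) ⊄ ↓A, add g^∞(a) for fairly chosen (g, a).
    Fairness: round r tries every composite of length ≤ r on every a ∈ A.
    Elements already in ↓A are skipped, which leaves ↓A unchanged.  Like the
    procedure in the text, this need not terminate on non-cover-flattable systems."""
    A, r = {tuple(x)}, 0
    while True:
        post = [lift_step(a, d) for a in A for d in deltas]
        if all(y is None or covered(y, A) for y in post):
            return A
        r += 1
        for length in range(1, r + 1):
            for ds in sequences(deltas, repeat=length):
                g = compose(ds)
                for a in list(A):
                    z = accelerate(g, a)
                    if z is not None and not covered(z, A):
                        A.add(z)
```

For the constructed net with places $(p_1, p_2, p_3)$, initial marking $(1, 0, 0)$ and transitions $d_1 = (-1, 1, 1)$, $d_2 = (1, -1, 0)$, the loop $d_1 d_2$ accelerates $(1,0,0)$ to $(1, 0, \omega)$ and the procedure stops once $(0, 1, \omega)$ is also in $A$.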
Termination is ensured for flat systems, i.e., systems whose control graph has no nested loop, as one only has to compute the effect of a finite number of loops. In general, the procedure terminates on cover-flattable systems, that is systems that are cover-equivalent to some flat system. Petri nets are cover-flattable, while, e.g., not all LCS are: recall that, in an LCS, $\downarrow \mathrm{Post}^*(\downarrow x)$ is always representable as an SRE, however not effectively so.

7. Conclusion and Perspectives 

We have developed the first comprehensive theory of downward-closed subsets, as required for a general understanding of forward analysis techniques of WSTS. This generalizes previous domain proposals on tuples of natural numbers, on words, on multisets, allowing for nested datatypes, and infinite alphabets. Each of these domains is effective, in the sense that each has finite presentations with a decidable ordering. We have also shown how the notion of sobrification $\mathcal{S}(X_a)$ was in a sense inevitable (Section 3), and described how this applied to compute downward closures of reachable sets of configurations in WSTS (Section 6). We plan to describe such new forward analysis algorithms, in more detail, in papers to come.